Discussion:
Welcome to the new(ish) ASRG list
John R. Levine
2013-03-16 22:02:45 UTC
Permalink
You should recently have gotten a welcome to the new ASRG list.

A few administrative details:

The list is running on majordomo2, an obscure but powerful list manager
with no relationship to the old majordomo beyond some similar commands.

It has both mail and web list management. Start here for the
obscure but powerful web interface:

http://lists.services.net/cgi-bin/mj_wwwusr/domain=lists.gurus.org?func=lists-long-full&extra=asrg

Click "Sign In" at the top, use your address and the password it just sent
you. The pages are long, scroll down to find the good bits.

If you hate the list and want it to stop, send

unsubscribe asrg

to asrg-***@lists.gurus.org, or use the unsub link in the headers.

If you want a digest, send

set asrg digest

to asrg-***@lists.gurus.org.

If you have multiple e-mail addresses, send me a note and I will combine
them. (Take that, mailman!)

Any other questions, send me a note and I'll deal with it.

We now return to our occasional anti-spam discussions.

Regards,
John Levine, ***@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Chris
2013-03-16 23:08:16 UTC
Permalink
Hmm Hello John

it seems my account was reactivated, I deactivated it many years ago. In
fact I thought this group was disbanded!

But I was only just thinking about the group in the last day. Is this an act
of fate?

My thoughts were along the line of a stamp trading system. it works

Regards
Chris
Post by John R. Levine
You should recently have gotten a welcome to the new ASRG list.
The list is running on majordomo2, an obscure but powerful list manager
with no relationship to the old majordomo beyond some similar commands.
It has both mail and web list management. Start here for the obscure but
http://lists.services.net/cgi-bin/mj_wwwusr/domain=lists.gurus.org?func=lists-long-full&extra=asrg
Click "Sign In" at the top, use your address and the password it just sent
you. The pages are long, scroll down to find the good bits.
If you hate the list and want it to stop, send
unsubscribe asrg
If you want a digest, send
set asrg digest
If you have multiple e-mail addresses, send me a note and I will combine
them. (Take that, mailman!)
Any other questions, send me a note and I'll deal with it.
We now return to our occasional anti-spam discussions.
Regards,
Please consider the environment before reading this e-mail. http://jl.ly
John R. Levine
2013-03-16 23:37:03 UTC
Permalink
Post by Chris
My thoughts were along the line of a stamp trading system. it works
No, it doesn't, but go ahead and tell us about it.

R's,
John
Chris
2013-03-16 23:53:03 UTC
Permalink
haha I clicked send before I finished deleting the "it works" part. It was
supposed to be "it works by ..." but I decided to delete it as I haven't
fully formulated the idea yet. and I haven't even decided if it could work :)

Essentially its a reputation system. To send an email you need to attach a
stamp. if that stamp is successfully received it gives the sender a new
stamp so he can send another email.

the idea is a bulk email sender will have a very high failure rate and
therefore their supply of stamps will dwindle.

Its just the first thought in a system designed to get the process of
stopping spam away from the MTA and into the client application. It has been
solidly proven we can forget about ISP's implementing a consistent antispam
system

I had high hopes for spf but it seems to have done very little too few
sysadmins implement it.

Regards
Chris
Post by John R. Levine
Post by Chris
My thoughts were along the line of a stamp trading system. it works
No, it doesn't, but go ahead and tell us about it.
R's,
John
Bjartur Thorlacius
2013-03-16 23:58:47 UTC
Permalink
Post by Chris
haha I clicked send before I finished deleting the "it works" part. It
was supposed to be "it works by ..." but I decided to delete it as I
haven't fully formulated the idea yet. and I haven't even decided if
it could work :)
Essentially its a reputation system. To send an email you need to
attach a stamp. if that stamp is successfully received it gives the
sender a new stamp so he can send another email.
the idea is a bulk email sender will have a very high failure rate and
therefore their supply of stamps will dwindle.
Reminiscent of harassment tokens. So you want stamps to be WoT vetted?
Seems mildly difficult.
Neil Schwartzman
2013-03-17 00:19:59 UTC
Permalink
this sounds like a great idea,and you have some heavy backing for it, too.



Why I Hate Spam
Reprinted from The Wall Street Journal by Bill Gates

https://www.microsoft.com/presspass/ofnote/06-23wsjspam.mspx


Here's what he proposed:

Chairman Bill's ‘magic spam cure’ – a revenue opportunity?
http://www.theregister.co.uk/2004/01/28/chairman_bills_magic_spam_cure/
haha I clicked send before I finished deleting the "it works" part. It was supposed to be "it works by ..." but I decided to delete it as I haven't fully formulated the idea yet. and I haven't even decided if it could work :)
Essentially its a reputation system. To send an email you need to attach a stamp. if that stamp is successfully received it gives the sender a new stamp so he can send another email.
the idea is a bulk email sender will have a very high failure rate and therefore their supply of stamps will dwindle.
Its just the first thought in a system designed to get the process of stopping spam away from the MTA and into the client application. It has been solidly proven we can forget about ISP's implementing a consistent antispam system
I had high hopes for spf but it seems to have done very little too few sysadmins implement it.
Regards
Chris
Post by John R. Levine
Post by Chris
My thoughts were along the line of a stamp trading system. it works
No, it doesn't, but go ahead and tell us about it.
R's,
John
Chris
2013-03-17 02:25:55 UTC
Permalink
Unlike Bill Gates proposal I want to reduce the senders cost to as close to
nil as possible (except for spammers of course).

I was thinking when you pay your monthly fee to your ISP you get a certain
number of stamps. As long as the recipient accepts the email the stamp is
"refunded"it goes back into your stamp bank. If your ISP wont play ball you
can collect your stamps as an individual or organisation.

The stamp will act to authenticate you and your message.
Governments,banks,utilities etc will find a significant use for it. They of
course will need a much larger allotment of stamps. As long as they keep
their email lists clean the stamps will continue to circulate thus their
ongoing cost would be minimal.

The stamp would only authenticate the body of the message and the original
sender. Therefore forwarding etc will continue to work. the algorithm
would/should be able to pinpoint any non original text. so it could
highlight any text placed into the message during transport (man in the middle).

The idea that the mail user agent (mua) does the processing allows the whole
problem of ISP's lack of take up and open relays to be sidestepped. A
message is verified (through central stamp servers or WoT system) before the
user gets to see the email so while they at least receive the mail headers a
spam mail can be dropped before downloading the body.

It also sidesteps the whole patent and licensing issue, something that
negatively effected the uptake of SPF and Domain keys.

Unstamped emails can be routed to antispam filters or other action taken.

My impetus for thinking about this again after many years of giving up was
an email I sent to a collegue was filtered out by gmail because I spoke
about large sums of money. google decided I was a Nigerian scam!


Regards
Chris
this sounds like a /great/ idea,and you have some heavy backing for it, too.
Why I Hate Spam
*Reprinted from **The Wall Street Journal **by Bill Gates*
https://www.microsoft.com/presspass/ofnote/06-23wsjspam.mspx
Chairman Bill's ‘magic spam cure’ – a revenue opportunity?
http://www.theregister.co.uk/2004/01/28/chairman_bills_magic_spam_cure/
Post by Chris
haha I clicked send before I finished deleting the "it works" part. It
was supposed to be "it works by ..." but I decided to delete it as I
haven't fully formulated the idea yet. and I haven't even decided if it
could work :)
Essentially its a reputation system. To send an email you need to attach
a stamp. if that stamp is successfully received it gives the sender a new
stamp so he can send another email.
the idea is a bulk email sender will have a very high failure rate and
therefore their supply of stamps will dwindle.
Its just the first thought in a system designed to get the process of
stopping spam away from the MTA and into the client application. It has
been solidly proven we can forget about ISP's implementing a consistent
antispam system
I had high hopes for spf but it seems to have done very little too few
sysadmins implement it.
Regards
Chris
Post by John R. Levine
Post by Chris
My thoughts were along the line of a stamp trading system. it works
No, it doesn't, but go ahead and tell us about it.
R's,
John
John R. Levine
2013-03-17 02:42:09 UTC
Permalink
Post by Chris
Unlike Bill Gates proposal I want to reduce the senders cost to as close to
nil as possible (except for spammers of course).
I was thinking when you pay your monthly fee to your ISP you get a certain
number of stamps. As long as the recipient accepts the email the stamp is
"refunded"it goes back into your stamp bank. If your ISP wont play ball you
can collect your stamps as an individual or organisation.
This, ah, isn't exactly a new idea. You might want to look at the white
paper I wrote in 2004 about e-postage.

It's #2 at http://www.taugh.com/

Regards,
John Levine, ***@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Chris
2013-03-17 04:50:22 UTC
Permalink
Cool

Hadn't read that or anything like it. Even though its not new, a system of
refundable stamps may well be a system worth revisiting. Nothing else has
worked.
in 'my version' refunding is not optional. when you validate the stamp it is
automatically refunded and is also 'used'. similar I guess in the way that
bitcoin works.

For me I do a lot of government work. It frightens me that governments and
banks and utilities are actively teaching people to become victims of fraud
because they insist on using email for personal communications. The most
frightening of these systems does not involve email at all. I had my banks
automated system phone me and then ask for my 'security response' so it
could pass on a message. Absolutely crazy. yet when I rang and spoke to them
and followed it up with a letter describing why it was so dangerous their
answer was "it works for us".

One government project I was recently on, we proposed signing all the emails
sent. Sadly the mail provider stated that previous attempts had failed
because Outlook's handling of signed emails was patchy and poor. So we fell
back like most do to unsigned plain text emails.

The idea of hashcash has always made me chuckle.

Regards
Chris
Post by John R. Levine
Post by Chris
Unlike Bill Gates proposal I want to reduce the senders cost to as close
to nil as possible (except for spammers of course).
I was thinking when you pay your monthly fee to your ISP you get a
certain number of stamps. As long as the recipient accepts the email the
stamp is "refunded"it goes back into your stamp bank. If your ISP wont
play ball you can collect your stamps as an individual or organisation.
This, ah, isn't exactly a new idea. You might want to look at the white
paper I wrote in 2004 about e-postage.
It's #2 at http://www.taugh.com/
Regards,
Please consider the environment before reading this e-mail. http://jl.ly
John R. Levine
2013-03-17 04:57:28 UTC
Permalink
Post by Chris
Hadn't read that or anything like it. Even though its not new, a system of
refundable stamps may well be a system worth revisiting. Nothing else has
worked.
I don't see anything that's changed since 2004 that would make them any
more workable now than they were then.

Regards,
John Levine, ***@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Chris
2013-03-17 05:09:57 UTC
Permalink
Hmm Maybe

but nothing else has worked. Perhaps its time to revisit old ideas with a
fresh perspective.

My favourite idea back then was collect mail. I could not believe nor
understand the attitude from many members of this list that it was not the
senders responsibilty to store emails until collected. To me it was the sole
responsibility of the sender (or their isp) to store until collection. Data
retention laws will soon do the same thing anyway.

It also has the added advantage that email lists are automatically pruned.
To me it was a very good solution, particularly for important emails such as
the banking system. uncollected mail could be automatically forwarded for
follow up if the subject matter was of high importance. such as "your
account is overdue".

But people as they are tend to poo poo any ideas which they didn't think of.

Regards
Chris
Post by John R. Levine
Post by Chris
Hadn't read that or anything like it. Even though its not new, a system
of refundable stamps may well be a system worth revisiting. Nothing else
has worked.
I don't see anything that's changed since 2004 that would make them any
more workable now than they were then.
Regards,
Please consider the environment before reading this e-mail. http://jl.ly
Brendan Hide
2013-03-17 08:18:06 UTC
Permalink
Hi, Chris

Slightly off track to the previous topic:
The primary issue I see with any payment-type solution is that it
advocates a big change in an existing ecosystem that many vendors simply
will not support.

Back on track:
The pull model was suggested by DJB a while ago - see
https://en.wikipedia.org/wiki/Internet_Mail_2000
The idea certainly has its merits, except for the same vendor issue
mentioned above. The project has a catch-22 issue. Vendors will not put
resources into a project until it has momentum. The project will not
have momentum until vendors input resources. Sigh.

When considering my ideas, I use a list along these lines as a litmus
test: http://craphound.com/spamsolutions.txt

Though the list is most definitely cynical, it is so for a reason. Think
critically about each item and how it really could affect your idea. The
last thing email needs are interesting ideas that turn out to be
worthwhile only in the short term - but with long-term consequences.
Post by Chris
Hmm Maybe
but nothing else has worked. Perhaps its time to revisit old ideas
with a fresh perspective.
My favourite idea back then was collect mail. I could not believe nor
understand the attitude from many members of this list that it was not
the senders responsibilty to store emails until collected. To me it
was the sole responsibility of the sender (or their isp) to store
until collection. Data retention laws will soon do the same thing anyway.
It also has the added advantage that email lists are automatically
pruned. To me it was a very good solution, particularly for important
emails such as the banking system. uncollected mail could be
automatically forwarded for follow up if the subject matter was of
high importance. such as "your account is overdue".
But people as they are tend to poo poo any ideas which they didn't think of.
Regards
Chris
Post by John R. Levine
Post by Chris
Hadn't read that or anything like it. Even though its not new, a
system of refundable stamps may well be a system worth revisiting.
Nothing else has worked.
I don't see anything that's changed since 2004 that would make them
any more workable now than they were then.
Regards,
Please consider the environment before reading this e-mail. http://jl.ly
--
__________
Brendan Hide
http://swiftspirit.co.za/
http://www.webafrica.co.za/?AFF1E97
Richi Jennings
2013-03-17 09:25:37 UTC
Permalink
I note that Esther Dyson continues to try drumming up support for e-postage.

Probably because she invested in the notorious C/R spammer, Boxbe ;-)

// ***@richi.co.uk +44.7789.200701 / 1.408.256.0084 (vm)
// Skype, Twitter, Facebook, etc.: http://richij.com/contact
Neil Schwartzman
2013-03-17 13:34:47 UTC
Permalink
Indeed. I had breakfast with her recently, she was particularly jazzed on the Facebook idea of charging people to send email to unknown correspondents for, at the time $100.

I'd like to get in on that action, too. I don't know a great many people on this list, so please cut me a cheque for say … $25 (I'm no Esther Dyson) and I promise to read your email.

Alternatively, I'll sell you Esther Dyson's email address for $75.

N

(One thing that occurs to me is that this thread is predicated on an flawed assumption:

"It has been solidly proven we can forget about ISP's implementing a consistent anti -spam system"

I'd argue much the opposite Spam as a problem was solved several years ago. I'll elaborate. Botnet spam is easily dealt with. DNSBLs like The CBL (which doesn't operate solely by IP but also by botnet signature) stop the vast majority of botnet spam. Greymail spam from 'legitimate' is dealt with by reputation systems such as whitelisting and proprietary systems at the free mail providers, particularly Gmail and Hotmail. Those will become more common.

What is an increasing problem is malware - distributed in any number of ways, including drive by sites and social media and any messaging channel you might think of, both land and mobile-based. And yes, SMS Spam has made that landscape as polluted as email was six years ago, but with additional complications.)
Post by Richi Jennings
I note that Esther Dyson continues to try drumming up support for e-postage.
Probably because she invested in the notorious C/R spammer, Boxbe ;-)
// Skype, Twitter, Facebook, etc.: http://richij.com/contact
John Levine
2013-03-17 17:43:36 UTC
Permalink
Post by Richi Jennings
I note that Esther Dyson continues to try drumming up support for e-postage.
Probably because she invested in the notorious C/R spammer, Boxbe ;-)
Other way around.

Esther's spam problem is not like other people's spam problem. She
has large numbers of random strangers pitching business plans to her,
asking her to speak at conferences, and such. It's all from real
people sent only to her, but there's little of it she wants to read.
It has always seemed to me that a $25 or $100 reading fee would lead
to adverse selection, but we're unlikely ever to know.

I had a very pleasant lunch with Thede Loder, the head guy at Boxbe,
before it collapsed. He was entirely aware that C/R sucks, and the
point of Boxbe was to appeal to people with Esther's problem, or the
much larger class of people who think they have Esther's problem. (As
he noted, there is a significant overlap with venture capitalists,
which helped funding.) Boxbe was just what she wanted.

Unfortunately for Thede, he tripped over some patents owned by another
spam filtering company, the lawsuits drained their cash and they went
out of business.

Thede is the same guy who invented refundable e-postage as attention
bonds about a decade ago. He was surprised when I told him that they
were the same thing as Phil Raymond's Vanquish, and Phil already had a
patent on it.

R's,
John
David Nicol
2013-03-18 02:35:26 UTC
Permalink
Hmm. Tipjar's "minimum tip amount" from 1996 is supposed to function as a
prior art defense against potential patent claims, in my e-postage plans.
These people -- the in-demand public person, who needs a new contact filter
rather than having a new contact problem -- certainly look like a
low-hanging fruit.
Post by John Levine
Esther's spam problem is not like other people's spam problem. She
has large numbers of random strangers pitching business plans to her,
asking her to speak at conferences, and such. It's all from real
people sent only to her, but there's little of it she wants to read.
It has always seemed to me that a $25 or $100 reading fee would lead
to adverse selection, but we're unlikely ever to know.
I had a very pleasant lunch with Thede Loder, the head guy at Boxbe,
before it collapsed. He was entirely aware that C/R sucks, and the
point of Boxbe was to appeal to people with Esther's problem, or the
much larger class of people who think they have Esther's problem. (As
he noted, there is a significant overlap with venture capitalists,
which helped funding.) Boxbe was just what she wanted.
Unfortunately for Thede, he tripped over some patents owned by another
spam filtering company, the lawsuits drained their cash and they went
out of business.
Thede is the same guy who invented refundable e-postage as attention
bonds about a decade ago. He was surprised when I told him that they
were the same thing as Phil Raymond's Vanquish, and Phil already had a
patent on it.
R's,
John
--
"When men drink, they get wealthy, they are successful, they win their
lawsuits,
they become happy and help out their friends." -- Aristophanes (well, a
character he wrote)
Brendan Hide
2013-03-17 10:54:23 UTC
Permalink
I agree wholeheartedly on the idea of internal implementation.

I think the best way to "get things done" is to get the largest chunks
of the greater ecosystem to co-operate with each other directly.

A (very small) example of this, and appropriate to your mentioning of
banks, is that we have been asked by local banks to treat their SPF
records as having "-all" no matter if they actually have that in the
public DNS.

My own most recent idea involved a new authentication method,
effectively single sign-on for outbound mail using
automatically-generated keys. The "big thing" with my concept was that
it would be trivial for a responsible ISP to cut off abused MUAs (and
email accounts) in an entirely automated fashion.

The primary downside to the concept was that MTAs, MUAs, and Mail
Exchangers would need to be modified to support the new authentication
method before it could be effective.

Probably the biggest thing that could help would be if a large freemail
organisation implemented one of these great ideas, made it publically
functional, and ran with it (well ... that is generally what has worked
in the past anyway).
I agree with you on the point of "collect mail" I am aware of mail
2000 researching it a long time ago.
As I have stated the solution should be transport and legislation
agnostic. It should sit happily on top of SMTP. that way it does not
require a big change to the current ecosystem. just a recognition that
something needs to be done.
If say a plugin could be developed for each of the major user agents
that made use of a stamp (or some other system such as collect mail)
then the job is to get security concious organisations to request
their users install the plugin. That's why I keep talking about banks.
Another way is to get large independant ecosystems to implement the
solution internally. Universities are prime targets for the growth of
new technology.
Of course. we could just read that list at craphound say its all too
hard and put our collective heads back in the sand.
Regards
Chris
Post by Brendan Hide
Hi, Chris
The primary issue I see with any payment-type solution is that it
advocates a big change in an existing ecosystem that many vendors
simply will not support.
The pull model was suggested by DJB a while ago - see
https://en.wikipedia.org/wiki/Internet_Mail_2000
The idea certainly has its merits, except for the same vendor issue
mentioned above. The project has a catch-22 issue. Vendors will not
put resources into a project until it has momentum. The project will
not have momentum until vendors input resources. Sigh.
When considering my ideas, I use a list along these lines as a litmus
test: http://craphound.com/spamsolutions.txt
Though the list is most definitely cynical, it is so for a reason.
Think critically about each item and how it really could affect your
idea. The last thing email needs are interesting ideas that turn out
to be worthwhile only in the short term - but with long-term
consequences.
Post by Chris
Hmm Maybe
but nothing else has worked. Perhaps its time to revisit old ideas
with a fresh perspective.
My favourite idea back then was collect mail. I could not believe
nor understand the attitude from many members of this list that it
was not the senders responsibilty to store emails until collected.
To me it was the sole responsibility of the sender (or their isp) to
store until collection. Data retention laws will soon do the same
thing anyway.
It also has the added advantage that email lists are automatically
pruned. To me it was a very good solution, particularly for
important emails such as the banking system. uncollected mail could
be automatically forwarded for follow up if the subject matter was
of high importance. such as "your account is overdue".
But people as they are tend to poo poo any ideas which they didn't think of.
Regards
Chris
Post by John R. Levine
Post by Chris
Hadn't read that or anything like it. Even though its not new, a
system of refundable stamps may well be a system worth revisiting.
Nothing else has worked.
I don't see anything that's changed since 2004 that would make them
any more workable now than they were then.
Regards,
Please consider the environment before reading this e-mail.
http://jl.ly
--
__________
Brendan Hide
http://swiftspirit.co.za/
http://www.webafrica.co.za/?AFF1E97
Franck Martin
2013-03-17 11:06:40 UTC
Permalink
You mean like DMARC?

Printed on recycled paper!
Post by Brendan Hide
I agree wholeheartedly on the idea of internal implementation.
I think the best way to "get things done" is to get the largest chunks of the greater ecosystem to co-operate with each other directly.
A (very small) example of this, and appropriate to your mentioning of banks, is that we have been asked by local banks to treat their SPF records as having "-all" no matter if they actually have that in the public DNS.
My own most recent idea involved a new authentication method, effectively single sign-on for outbound mail using automatically-generated keys. The "big thing" with my concept was that it would be trivial for a responsible ISP to cut off abused MUAs (and email accounts) in an entirely automated fashion.
The primary downside to the concept was that MTAs, MUAs, and Mail Exchangers would need to be modified to support the new authentication method before it could be effective.
Probably the biggest thing that could help would be if a large freemail organisation implemented one of these great ideas, made it publically functional, and ran with it (well ... that is generally what has worked in the past anyway).
I agree with you on the point of "collect mail" I am aware of mail 2000 researching it a long time ago.
As I have stated the solution should be transport and legislation agnostic. It should sit happily on top of SMTP. that way it does not require a big change to the current ecosystem. just a recognition that something needs to be done.
If say a plugin could be developed for each of the major user agents that made use of a stamp (or some other system such as collect mail) then the job is to get security concious organisations to request their users install the plugin. That's why I keep talking about banks.
Another way is to get large independant ecosystems to implement the solution internally. Universities are prime targets for the growth of new technology.
Of course. we could just read that list at craphound say its all too hard and put our collective heads back in the sand.
Regards
Chris
Post by Brendan Hide
Hi, Chris
The primary issue I see with any payment-type solution is that it advocates a big change in an existing ecosystem that many vendors simply will not support.
The pull model was suggested by DJB a while ago - see https://en.wikipedia.org/wiki/Internet_Mail_2000
The idea certainly has its merits, except for the same vendor issue mentioned above. The project has a catch-22 issue. Vendors will not put resources into a project until it has momentum. The project will not have momentum until vendors input resources. Sigh.
When considering my ideas, I use a list along these lines as a litmus test: http://craphound.com/spamsolutions.txt
Though the list is most definitely cynical, it is so for a reason. Think critically about each item and how it really could affect your idea. The last thing email needs are interesting ideas that turn out to be worthwhile only in the short term - but with long-term consequences.
Post by Chris
Hmm Maybe
but nothing else has worked. Perhaps its time to revisit old ideas with a fresh perspective.
My favourite idea back then was collect mail. I could not believe nor understand the attitude from many members of this list that it was not the senders responsibilty to store emails until collected. To me it was the sole responsibility of the sender (or their isp) to store until collection. Data retention laws will soon do the same thing anyway.
It also has the added advantage that email lists are automatically pruned. To me it was a very good solution, particularly for important emails such as the banking system. uncollected mail could be automatically forwarded for follow up if the subject matter was of high importance. such as "your account is overdue".
But people as they are tend to poo poo any ideas which they didn't think of.
Regards
Chris
Hadn't read that or anything like it. Even though its not new, a system of refundable stamps may well be a system worth revisiting. Nothing else has worked.
I don't see anything that's changed since 2004 that would make them any more workable now than they were then.
Regards,
Please consider the environment before reading this e-mail. http://jl.ly
--
__________
Brendan Hide
http://swiftspirit.co.za/
http://www.webafrica.co.za/?AFF1E97
Brendan Hide
2013-03-17 12:01:50 UTC
Permalink
Post by Franck Martin
You mean like DMARC?
DMARC certainly looks interesting - but no, it is not like my idea.
Unless you're referring to the point of "cooperation" - there it looks
like they are achieving good momentum through simple cooperation.

My idea is certainly not fully fleshed out - there are aspects of it
which may seem unnecessary and there are aspects which are probably
useless or wrong.

Heavily summarised, see below:

Configuration:
When first configuring the MUA, a password for the account can be used
to retrieve a key. This is the only time the account password should be
needed.

Sending:
MUA generates an authentication token for itself from it's key. The
authentication token is intended to be "one-shot".
MUA attempts to send email directly to MX records using the
authentication token. If the MX server doesn't support the
authentication method then the MUA must fail over to using its own MTA
with the "old-school" method.
The MX server verifies the authentication token with the MTA and records
the verification information in the headers. If this verification fails
then an error is given to the sending MUA and the session is ended by
the MX server. Additional information can be given by the MTA in the
error or success messages to the MX server to ensure accurate and
responsible delivery or rejection messages.
Assuming success, the MUA completes sending the mail to the MX server
which accepts the message.
The mail is delivered to the end-recipient.

From the above you may deduce that this obsoletes Sender Callout
Verification.

Reporting:
In the situation where the mail is determined to be spam (This could be
any function within the recipient domain, from the user simply moving
the mail to a "Junk" folder, to the MX server noting that it has a very
high spam score):
The MX server (or end-recipient MUA) contacts the sender's MTA with the
authentication token and verification information that is already in the
mail's headers and reports that the mail is Spam.
The MTA can then make an automated decision of whether or not to suspend
the sender. It could suspend the MUA or the account entirely.

The MTA can take a lot of data into account on when an account or MUA
access should be suspended, however the primary means will probably be
the number of reported spam messages.

RBLs:
RBLs would NOT be obsoleted by this. In fact it will make new RBLs very
important. An ISP implementing measures such as this but, for whatever
reason not enforcing the suspension measures, would end up being listed
in these new RBLs. Effectively an incompetent or irresponsible ISP's
customers would not be able to authenticate emails using this method and
they would lose any advantage gained by using it.
--
__________
Brendan Hide
http://swiftspirit.co.za/
http://www.webafrica.co.za/?AFF1E97
Barry Shein
2013-03-17 18:01:02 UTC
Permalink
Post by Brendan Hide
Hi, Chris
The primary issue I see with any payment-type solution is that it
advocates a big change in an existing ecosystem that many vendors simply
will not support.
How would you know they wouldn't support it?

How could you possibly know this?

People on this list make assertions like this all the time and I find
them as preposterous as arithmetic errors.

These discussions have a definite bias towards: Don't try to change
anything, nobody will join your parade.

I'd love to see a (voluntary of course) moratorium on such comments
unless they're backed by something plausible.

In a case like this I couldn't even imagine what that would be but hey
try me I'm open-minded.

But for example even surveys would be suspect unless highly focused
because vendors et al don't really know what they want vis a vis this
issue other than to jump on a bandwagon they heard is working for
others.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
John R. Levine
2013-03-17 18:09:57 UTC
Permalink
Post by Barry Shein
Post by Brendan Hide
The primary issue I see with any payment-type solution is that it
advocates a big change in an existing ecosystem that many vendors simply
will not support.
How would you know they wouldn't support it?
How could you possibly know this?
Um, because we talk to them, and have a pretty good idea how much a
micropayment system that has to handle billions of transactions a day
would cost?

Regards,
John Levine, ***@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Barry Shein
2013-03-17 18:52:25 UTC
Permalink
Post by John R. Levine
Post by Barry Shein
Post by Brendan Hide
The primary issue I see with any payment-type solution is that it
advocates a big change in an existing ecosystem that many vendors simply
will not support.
How would you know they wouldn't support it?
How could you possibly know this?
Um, because we talk to them, and have a pretty good idea how much a
micropayment system that has to handle billions of transactions a day
would cost?
So 5 or so years ago you would've valued their opinion on whether they
would ever advertise on a social network?

As I said, they jump on whatever bandwagon seems to be working which
is completely reasonable.

It's simply not a measurable fact, or just asserting it based on
hearsay isn't a measurement.

As to billions of transactions what about the DNS system? Can't
possibly work?

There are ways to scale down the number of actual transactions,
decentralize etc.

For example given a cryptographic stamp and an ISP's motivation the
ISP could verify each outgoing stamp used by a customer before letting
it out since in theory they're the ones who issued those stamps, much
like they might issue IP addresses and block any originating from w/in
their network which isn't part of their re-delegation blocks.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Neil Schwartzman
2013-03-17 18:55:38 UTC
Permalink
Sounds to me like TheWorld.com could be a groundbreaker again, in this case. Why not try it, and see how it turns out?
Post by Barry Shein
given a cryptographic stamp and an ISP's motivation
John Levine
2013-03-17 19:40:23 UTC
Permalink
Post by Barry Shein
Post by John R. Levine
Um, because we talk to them, and have a pretty good idea how much a
micropayment system that has to handle billions of transactions a day
would cost?
So 5 or so years ago you would've valued their opinion on whether they
would ever advertise on a social network?
Huh?

Running a transaction system that has to handle billions of
transactions a day is a notably unsolved problem, and not for lack of
trying. The synchronization required to deter double spending of
coins or stamps or whatever you want to call them is inherently very
difficult.

On the other hand, if we're allowed to wave our hands and assert that
it exists, please assert me a rainbow pony at the same time.
Post by Barry Shein
As to billions of transactions what about the DNS system? Can't
possibly work?
Please don't tell me that it's news to you that the DNS is read-only.
Post by Barry Shein
For example given a cryptographic stamp and an ISP's motivation the
ISP could verify each outgoing stamp used by a customer before letting
it out since in theory they're the ones who issued those stamps, much
like they might issue IP addresses and block any originating from w/in
their network which isn't part of their re-delegation blocks.
You're describing rate limiting outgoing mail from a network's own
hosts. It's not a bad idea, lots of ISPs do it, and it doesn't
require stamps.

R's,
John
Barry Shein
2013-03-17 20:06:05 UTC
Permalink
Post by John Levine
Post by Barry Shein
Post by John R. Levine
Um, because we talk to them, and have a pretty good idea how much a
micropayment system that has to handle billions of transactions a day
would cost?
So 5 or so years ago you would've valued their opinion on whether they
would ever advertise on a social network?
Huh?
Running a transaction system that has to handle billions of
transactions a day is a notably unsolved problem, and not for lack of
trying. The synchronization required to deter double spending of
coins or stamps or whatever you want to call them is inherently very
difficult.
Which basically pits the best as the enemy of the good.

But it's a valid point.

Which is why I suggested a verification system analogous to SPF for
example.
Post by John Levine
On the other hand, if we're allowed to wave our hands and assert that
it exists, please assert me a rainbow pony at the same time.
Asking a question and then answering it doesn't seem constructive.
Post by John Levine
Post by Barry Shein
As to billions of transactions what about the DNS system? Can't
possibly work?
Please don't tell me that it's news to you that the DNS is read-only.
Verification of a stamp wouldn't have to be much different from a DNS
query. "Is the following n-tuple (perhaps source plus stamp) valid?",
or likely valid would be far better than what we have now.

A server would know, for example, that every stamp coming out of an
AT&T IP block has to have certain cryptographic characteristics, and
the same coming out of some other block would be invalid. Etc.

Hey, that's engineering and it doesn't have to be mathematically
perfect to achieve its goal.

But most importantly it could potentially create an economy to go
after counterfeiters, or block them more effectively.

One thing I've said for many years is that what anti-spam activity
lacks is much any economy, beyond appliances and similar which is good
but not that universal.

As an analogy, you COULD set up your own root server and sell your own
domains, do alternative DNS. But beyond some point ICANN would come
down on you like white on rice, as they have in the past.

Why? Because unlike anti-spam ICANN (et al) has a billion dollar
industry and maybe $150M/year in revenue directly to them to protect.

That should be the real goal IMHO, how do we create or encourage an
effective economics to combat spam?
Post by John Levine
Post by Barry Shein
For example given a cryptographic stamp and an ISP's motivation the
ISP could verify each outgoing stamp used by a customer before letting
it out since in theory they're the ones who issued those stamps, much
like they might issue IP addresses and block any originating from w/in
their network which isn't part of their re-delegation blocks.
You're describing rate limiting outgoing mail from a network's own
hosts. It's not a bad idea, lots of ISPs do it, and it doesn't
require stamps.
No because the RECIPIENT also wants to see that stamp once it passes
the ISP.

The ISP checking would only be optional, smaller concerns such as
companies wouldn't be obliged to check anything, only the recipient
really has an interest in checking beyond scaling considerations some
big ISPs and similar might have.

I might for example choose to accept some valid stamps and not others,
again depending on the n-tuple.

But the point is mail would have to have a valid stamp to get thru
sites which choose to participate (one wouldn't have to) which beyond
some pre-allocated limit (TBD) would have to be bought.

Since spammers have to send out literally billions of spam emails per
day to be economically effective it potentially turns that equation in
favor of the honest user without, potentially, over-burdening even a
site which legitimately sends millions of email msgs.

I'd guess wildly and for discussion's sake that a price like
$100/million would be acceptable as a cost of doing business to, e.g.,
Amazon, particularly if they saw some value to them, but unworkable
for spammers.

I think our estimate of top spammers is on the order of a billion msgs
sent per day per each? That would be $1,000/day, I don't think they
have that kind of economics.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
John Levine
2013-03-17 22:25:22 UTC
Permalink
Post by Barry Shein
Post by John Levine
Running a transaction system that has to handle billions of
transactions a day is a notably unsolved problem, and not for lack of
trying. The synchronization required to deter double spending of
coins or stamps or whatever you want to call them is inherently very
difficult.
Which basically pits the best as the enemy of the good.
No, it's the real as the enemy of the fantasy. I'd like space based
lasers to zap spammers in real time, too.
Post by Barry Shein
Verification of a stamp wouldn't have to be much different from a DNS
query. "Is the following n-tuple (perhaps source plus stamp) valid?",
or likely valid would be far better than what we have now.
Oh, OK. So you give me one stamp, and I use it on 100,000,000 million
pieces of mail, each of which verifies. Seems reasonable.

If that's not what you mean, the double spending problem is what makes
the giant transaction system intractable.

On the other hand, if you're only talking about rate limiting mail
sent from an individual ISP by its customers, that is a solved
technical problem that doesn't need stamps.

R's,
John
Barry Shein
2013-03-18 20:01:45 UTC
Permalink
Post by John Levine
Post by Barry Shein
Verification of a stamp wouldn't have to be much different from a DNS
query. "Is the following n-tuple (perhaps source plus stamp) valid?",
or likely valid would be far better than what we have now.
Oh, OK. So you give me one stamp, and I use it on 100,000,000 million
pieces of mail, each of which verifies. Seems reasonable.
If that's not what you mean, the double spending problem is what makes
the giant transaction system intractable.
Counterfeiting has been a problem with physical money and postage
since they were both invented (for postage think: metered stamping of
bulk postal mail.)

So although it's a worthwhile issue to raise it's not clear that it's
a show-stopper.

The first consideration is the cost of successful counterfeiting.

Some spam gets through.

But that happens now.

So that cost is zero, plus or minus any added processing.

The second is detection and the likelihood of getting caught. Like
other counterfeiting one presumes the penalties would be significant.

Seems like it would be improved with a cryptographic stamp since right
now we have nothing like this.

And prevention.

That would be improved by use of an n-tuple. If instead of just
verifying the stamp's validity you also consider the sending source
(were they issued that range of stamps? a very cheap question to ask a
distributed db) prevention and detection would be improved.

Much like they probably do with metered postage. I'd imagine the first
check when something suspicious shows up is checking whether meter
number NNNNNNN (it's in the stamp image) is located in the city where
the questionable mail (or more likely 10,000 pieces) just showed up
for delivery, originating PO, the source? It's not a sure positive but
it's a very good start, a smell test.
Post by John Levine
On the other hand, if you're only talking about rate limiting mail
sent from an individual ISP by its customers, that is a solved
technical problem that doesn't need stamps.
THE RECIPIENT CAN CHECK IT ALSO and customize their own
decision-making or deploy more recent or more strenuous or even just
different policies such as we don't want any of that cheap RX email
even if they do pay for their stamps but it sure is handy to know
their meter prefix and put it in the no thank you list.

Much like throwing out anything which isn't 1st class mail at home, up
to the recipient.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
John Levine
2013-03-18 21:44:34 UTC
Permalink
Post by Barry Shein
Post by John Levine
If that's not what you mean, the double spending problem is what makes
the giant transaction system intractable.
Counterfeiting has been a problem with physical money and postage
since they were both invented (for postage think: metered stamping of
bulk postal mail.)
Double spending has nothing to do with counterfeiting.

R's,
John
Barry Shein
2013-03-19 00:21:02 UTC
Permalink
Post by John Levine
Post by Barry Shein
Post by John Levine
If that's not what you mean, the double spending problem is what makes
the giant transaction system intractable.
Counterfeiting has been a problem with physical money and postage
since they were both invented (for postage think: metered stamping of
bulk postal mail.)
Double spending has nothing to do with counterfeiting.
You're splitting hairs, if I spend the same token more than once the
subsequent tokens are in effect counterfeit.

Fraudulent, if you prefer.

I can also replicate a (paper) postage meter stamp on an envelope over
and over with a color printer w/o moving the postage meter's meter
forward.

I'd call that counterfeiting but we could choose another word.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
John Levine
2013-03-19 01:49:29 UTC
Permalink
Post by Barry Shein
Post by John Levine
Double spending has nothing to do with counterfeiting.
You're splitting hairs, if I spend the same token more than once the
subsequent tokens are in effect counterfeit.
Fraudulent, if you prefer.
The difference is that since all digital copies are perfect, all of
the copies of the stamp are real, and the only way to tell that it's
been spent is to try to cash it and see what the issuer says.
Counterfeit money or stamps may look real, but the fake ones are
different in some way from real ones.

Once again, this is a well known difficult problem for any digital
currency, one that has never been solved at scale.

R's,
John

PS: It's also one that I wrote about in my e-postage white paper ten
years ago. It was hard then, and it's hard now.
Barry Shein
2013-03-19 02:53:14 UTC
Permalink
Post by John Levine
Once again, this is a well known difficult problem for any digital
currency, one that has never been solved at scale.
I'm actually quite familiar with the double-spending problem.

One difference with e-postage is that the downside is different, some
email gets accepted with fraudulent postage. Not a big deal.

That's a very different failure mode than, for example, buying stuff
on Amazon with double-spent e-currency.

Large-scale Fraud should pretty easy to detect. Small scale fraud
isn't very interesting:

An e-postage stamp contains an authority server id.

You query the authority server, there could be many, much like you
would with DNS.

It returns yes/no, basically, and remembers the id of the stamp.

It won't return yes again for that exact stamp id.

There can be multiple layers of plausibility filtering, such as the
(sender,stamp-id) tuple.

To improve distribution you have two tools:

1. The embedded stamp authority id can refer to any one of many
different authority servers.

2. Like DNS the id verification can be hierarchical and redirect to
other servers.

Caching locally is a possibility, although not necessary, just like
DNS, again.

A large site might choose to watch for duplicates.

This of course does not improve or inform the id servers but might be
a practical trade-off particularly if one is likely to be bombarded by
a million fraudulent stamps if they are hit by any (e.g., large ISPs.)

That challenges the spammer to not send duplicates to any one site,
particularly if they suspect it is doing local caching.

I believe one can make it difficult to generate valid stamp-ids w/o
some cryptographic key.

Which, if true, leaves the spammer only having access to stamp-ids
which are valid and then re-spending them.

Stamp-ids should have a short life-span.

I think only valid more or less while they're actually moving from
server to server (including forwarding servers) but that requires
thought also.

I realize mail can be in transit perhaps about three days, or maybe
worst-case three days per hop. Ok absolute worst case is something
like 16 hops @ 3 days per hop, 48 days, but how common is that and
does it need to be covered?

But one only has to cover the 99% case not the outliers (another TBD,
what to do in those cases? How rare are they? Must all ids have the
same life span or can a sender anticipate slow paths?)

Assuming they have a short life span and a spammer can't generate
them, only copy them, how many valid stamp-ids could a spammer have
access to?

Interesting and crucial questions.

But the important point is that the failure mode isn't very serious,
some spam. If it works 99% of the time or even 95% that should be a
major improvement.

Particularly if it:

a) Improves detection: Hey IP x.y.z.w is sending fraudulent stamps!

b) Is likely to be punished.

c) Creates an economy around this enforcement (postage income.)

I think (c) is why it could work. Sometimes you just have to send out
the flatfoots, but first you have to be able to pay the flatfoots.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Seth
2013-03-18 20:09:05 UTC
Permalink
Post by John Levine
Post by Barry Shein
Verification of a stamp wouldn't have to be much different from a DNS
query. "Is the following n-tuple (perhaps source plus stamp) valid?",
or likely valid would be far better than what we have now.
Oh, OK. So you give me one stamp, and I use it on 100,000,000 million
pieces of mail, each of which verifies. Seems reasonable.
It's a distributed system with less-than-perfect real-time replication.
So maybe 8 or 10 of them verify before every server knows the stamp is
used.

Seth
John Levine
2013-03-18 22:33:09 UTC
Permalink
Post by Seth
Post by John Levine
Post by Barry Shein
Verification of a stamp wouldn't have to be much different from a DNS
query. "Is the following n-tuple (perhaps source plus stamp) valid?",
or likely valid would be far better than what we have now.
Oh, OK. So you give me one stamp, and I use it on 100,000,000 million
pieces of mail, each of which verifies. Seems reasonable.
It's a distributed system with less-than-perfect real-time replication.
So maybe 8 or 10 of them verify before every server knows the stamp is
used.
I don't think the scale works. Most payment systems are designed with
the assumption that most transactions will succeed, with failed ones
relatively uncommon. In the e-postage world where 90% of the mail is
spam, I'd expect 90% of the stamps to be double spent.

This also has the adverse selection problem, it encourages phishing,
fake drugs, and other high value spammers who figure that it's just
a cost of doing business. Or they set up the First Very Authentic
E-Postage Bank of Nigeria, and debase the currency.
Bart Schaefer
2013-03-18 23:11:37 UTC
Permalink
On Mar 18, 10:33pm, John Levine wrote:
}
} This also has the adverse selection problem, it encourages phishing,
} fake drugs, and other high value spammers who figure that it's just
} a cost of doing business. Or they set up the First Very Authentic
} E-Postage Bank of Nigeria, and debase the currency.

This is one reason the POSTAGE draft required that the receiver advertise
the banks it would accept, and the sender had to pick one of those.

http://tools.ietf.org/id/draft-irtf-asrg-postage-00.txt
Barry Shein
2013-03-19 00:28:43 UTC
Permalink
Post by John Levine
Post by Seth
Post by John Levine
Post by Barry Shein
Verification of a stamp wouldn't have to be much different from a DNS
query. "Is the following n-tuple (perhaps source plus stamp) valid?",
or likely valid would be far better than what we have now.
Oh, OK. So you give me one stamp, and I use it on 100,000,000 million
pieces of mail, each of which verifies. Seems reasonable.
It's a distributed system with less-than-perfect real-time replication.
So maybe 8 or 10 of them verify before every server knows the stamp is
used.
I don't think the scale works. Most payment systems are designed with
the assumption that most transactions will succeed, with failed ones
relatively uncommon. In the e-postage world where 90% of the mail is
spam, I'd expect 90% of the stamps to be double spent.
How about an 2-tuple of (sender,stamp)?
Post by John Levine
This also has the adverse selection problem, it encourages phishing,
fake drugs, and other high value spammers who figure that it's just
a cost of doing business. Or they set up the First Very Authentic
E-Postage Bank of Nigeria, and debase the currency.
They could, but people would have to accept it.

They might.

But then again, in the described scheme, as a recipient there's no
reason to honor e-postage at all except as a way to avoid spam, so why
bother?

I suppose the E-Postage Bank of Nigeria could try to improve its
reputation and make itself an acceptable but cheaper alternative.

Nothing inherently wrong with that, marketplace competition.

It reminds me of certificate authorities, easier said than done.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Seth
2013-03-19 02:35:43 UTC
Permalink
Post by John Levine
Post by Seth
It's a distributed system with less-than-perfect real-time replication.
So maybe 8 or 10 of them verify before every server knows the stamp is
used.
I don't think the scale works. Most payment systems are designed with
the assumption that most transactions will succeed, with failed ones
relatively uncommon. In the e-postage world where 90% of the mail is
spam, I'd expect 90% of the stamps to be double spent.
If the spammers get hold of every legitimate stamp and re-use it, 8/9 of
spam is still stopped. If they double-use their own stamps, their costs
for stamps are halved; the business still doesn't work.
Post by John Levine
This also has the adverse selection problem, it encourages phishing,
fake drugs, and other high value spammers who figure that it's just
a cost of doing business. Or they set up the First Very Authentic
E-Postage Bank of Nigeria, and debase the currency.
Why would any ISP consider that bank valid?

Seth
John Levine
2013-03-19 02:56:58 UTC
Permalink
Post by Seth
Post by John Levine
I don't think the scale works. Most payment systems are designed with
the assumption that most transactions will succeed, with failed ones
relatively uncommon. In the e-postage world where 90% of the mail is
spam, I'd expect 90% of the stamps to be double spent.
If the spammers get hold of every legitimate stamp and re-use it, 8/9 of
spam is still stopped. If they double-use their own stamps, their costs
for stamps are halved; the business still doesn't work.
I'm not explaining this very well. Look at my paper, it explains why it
is extremely unlikely that one could build a stamp system that could cover
its costs for anything that people are likely to pay, particularly if
the majority of the transactions are rejected so there's no revenue.
Post by Seth
Post by John Levine
This also has the adverse selection problem, it encourages phishing,
fake drugs, and other high value spammers who figure that it's just
a cost of doing business. Or they set up the First Very Authentic
E-Postage Bank of Nigeria, and debase the currency.
Why would any ISP consider that bank valid?
Unless you expect the world of e-mail to break up into regional walled
gardens, there'd need to be clearinghouses to connect the ISPs to the
issuers, analogous to what Master Card and Visa do for credit cards,
or SWIFT and the domestic ACH system do for bank transfers. The
FVAE-PBN doesn't have to persuade ISPs that it's valid, it has to
persuade a clearinghouse, and the track record of clearinghouses
ejecting dodgy members is not encouraging.

Do read the whitepaper, it's remarkably un-stale considering that I
wrote it ten years ago.
Rob McEwen
2013-03-17 03:17:35 UTC
Permalink
essentially its a reputation system. To send an email you need to
attach a stamp. if that stamp is successfully received it gives the
sender a new stamp so he can send another email.
It seems to me that if the industry would do the following:

(1) get strongly behind *requiring* FCrDNS for IPs sending
NON-authenticated mail (i.e. "last external" MTA)

(2) and ESPECIALLY make that a *requirement* for NON-authenticated IPv6
e-mail

(3) Then solve the HUGE HUGE HUGE HUGE and CONSTANTLY UNDER-RATED
problem of overabundance of mail-sending IPv6 addresses (a spammer's
dream as they never run out of new fresh IPs, and can send each e-mail
from a DIFFERENT IP address!) ...we could solve that problem... by
simply making it an industry standard to block ALL NON-authenticated
IPv6 mail that doesn't originate from one single designated (as in
"standardized") "root" IP per /48 block. (or, make it even MORE
scarce... like one designated IP per /36 block? other?)... this would be
the equivalent of blocking all NON-authenticated IPv4 mail that isn't
sent from an IP ending in ".0"... sort of like that, except far more
strict. IPv6 mail-sending is still youthful enough to where it isn't too
late to get behind this idea... but time is running out!

...those won't be a magic cure... would go a long way towards helping to
solve the spam problem... and these suggestions ARE feasible because
they (A) use existing technologies, and (B) in the case of FCrDN,
involve already existing "best practices".

NOTE: I specified "NON-authenticated mail" because I'm making the point
that ANY ip address can still password-authenticate to an MTA for that
MTA to then send the message on their behalf. These ideas don't impact
THAT part at all... so your toaster or watch or car or whatever can
STILL send an e-mail to you via smtp-authentication via ANY IP (as long
as it uses a valid SMTP mail server and doesn't try to send directly,
like a botnet would do.)
--
Rob McEwen
http://dnsbl.invaluement.com/
***@invaluement.com
+1 (478) 475-9032
Rob McEwen
2013-03-17 03:47:54 UTC
Permalink
Furthermore...what I'm suggesting below (NOT "e-postage stamps"... but
my suggestion for a solution I inserted into this discussion) ...is
basically ALREADY happening industry-wide for "no rDNS"... MANY large
ISPs outright block on "no rDNS" alone! Therefore, I see my suggestions
below as really just a VERY NATURAL progression of what is ALREADY
happening in the industry for "no rDNS" (aka "no PTR record"). That is
my rebutal to anyone who would (mistakenly!) consider my suggestion as
just another unrealistic and outlandish and impossible "FUSSP" (SEE:
http://www.rhyolite.com/anti-spam/you-might-be.html). This is in
contrast to the "e-postage stamps" suggestion... which does have some of
the problems lampooned on the "FUSSP" page.

Rob McEwen
Post by Rob McEwen
(1) get strongly behind *requiring* FCrDNS for IPs sending
NON-authenticated mail (i.e. "last external" MTA)
(2) and ESPECIALLY make that a *requirement* for NON-authenticated IPv6
e-mail
(3) Then solve the HUGE HUGE HUGE HUGE and CONSTANTLY UNDER-RATED
problem of overabundance of mail-sending IPv6 addresses (a spammer's
dream as they never run out of new fresh IPs, and can send each e-mail
from a DIFFERENT IP address!) ...we could solve that problem... by
simply making it an industry standard to block ALL NON-authenticated
IPv6 mail that doesn't originate from one single designated (as in
"standardized") "root" IP per /48 block. (or, make it even MORE
scarce... like one designated IP per /36 block? other?)... this would be
the equivalent of blocking all NON-authenticated IPv4 mail that isn't
sent from an IP ending in ".0"... sort of like that, except far more
strict. IPv6 mail-sending is still youthful enough to where it isn't too
late to get behind this idea... but time is running out!
...those won't be a magic cure... would go a long way towards helping to
solve the spam problem... and these suggestions ARE feasible because
they (A) use existing technologies, and (B) in the case of FCrDN,
involve already existing "best practices".
NOTE: I specified "NON-authenticated mail" because I'm making the point
that ANY ip address can still password-authenticate to an MTA for that
MTA to then send the message on their behalf. These ideas don't impact
THAT part at all... so your toaster or watch or car or whatever can
STILL send an e-mail to you via smtp-authentication via ANY IP (as long
as it uses a valid SMTP mail server and doesn't try to send directly,
like a botnet would do.)
--
Rob McEwen
http://dnsbl.invaluement.com/
***@invaluement.com
+1 (478) 475-9032
Franck Martin
2013-03-17 05:09:30 UTC
Permalink
----- Original Message -----
Sent: Saturday, March 16, 2013 8:47:54 PM
Subject: Re: e-postage stamps, was Welcome to the new(ish) ASRG list
Furthermore...what I'm suggesting below (NOT "e-postage stamps"... but
my suggestion for a solution I inserted into this discussion) ...is
basically ALREADY happening industry-wide for "no rDNS"... MANY large
ISPs outright block on "no rDNS" alone!
I'm all for outright blocking on no rDNS but who are these large ISPs?
Rob McEwen
2013-03-17 05:42:58 UTC
Permalink
Post by Franck Martin
I'm all for outright blocking on no rDNS but who are these large ISPs?
I don't have a list off the top of my head... but I did have a friend
who is an IT guy at a company and where the made some changes to their
firewall just two weeks ago... which mistakenly caused their exchange
server's outbound IP to switch to an IP that didn't have rDNS.
Immediately, there were massive numbers of outbound messages blocked
across many recipients, including some large ISPs. I didn't make a list,
but he said, "we're being blocked by this and that"... and I recall
hearing some "household names". (Also, this wasn't totally scientific
since you could argue that their IP being "new" might have factored into
the mix... but they were NOT sending ANY spam at that time!)

Also, I recall a person high up at Cox Communications saying that they
block on "no rDNS", fwiw.
--
Rob McEwen
http://dnsbl.invaluement.com/
***@invaluement.com
+1 (478) 475-9032
Roger B.A. Klorese
2013-03-17 05:46:30 UTC
Permalink
Post by Rob McEwen
Post by Franck Martin
I'm all for outright blocking on no rDNS but who are these large ISPs?
I don't have a list off the top of my head... but I did have a friend
who is an IT guy at a company and where the made some changes to their
firewall just two weeks ago... which mistakenly caused their exchange
server's outbound IP to switch to an IP that didn't have rDNS.
Immediately, there were massive numbers of outbound messages blocked
across many recipients, including some large ISPs. I didn't make a list,
but he said, "we're being blocked by this and that"... and I recall
hearing some "household names". (Also, this wasn't totally scientific
since you could argue that their IP being "new" might have factored into
the mix... but they were NOT sending ANY spam at that time!)
Also, I recall a person high up at Cox Communications saying that they
block on "no rDNS", fwiw.
Yahoo, AOL, Cox, and Comcast all block on the combination of any
significant volume and no rDNS.
Franck Martin
2013-03-17 05:51:19 UTC
Permalink
----- Original Message -----
Sent: Saturday, March 16, 2013 10:46:30 PM
Subject: Re: e-postage stamps, was Welcome to the new(ish) ASRG list
Post by Rob McEwen
Post by Franck Martin
I'm all for outright blocking on no rDNS but who are these large ISPs?
I don't have a list off the top of my head... but I did have a friend
who is an IT guy at a company and where the made some changes to their
firewall just two weeks ago... which mistakenly caused their
exchange
server's outbound IP to switch to an IP that didn't have rDNS.
Immediately, there were massive numbers of outbound messages
blocked
across many recipients, including some large ISPs. I didn't make a list,
but he said, "we're being blocked by this and that"... and I recall
hearing some "household names". (Also, this wasn't totally
scientific
since you could argue that their IP being "new" might have factored into
the mix... but they were NOT sending ANY spam at that time!)
Also, I recall a person high up at Cox Communications saying that they
block on "no rDNS", fwiw.
Yahoo, AOL, Cox, and Comcast all block on the combination of any
significant volume and no rDNS.
From that list I know that Yahoo and AOL do not outright block if there is no rDNS and only Comcast does. I don't know about Cox.
So once again who are these Many ISPs that outright block on no rDNS?
Rob McEwen
2013-03-17 06:07:02 UTC
Permalink
Post by Franck Martin
So once again who are these Many ISPs that outright block on no rDNS?
Tell you what... try it out for your own organization's email just for
one day... and see what an absolutely fabulous day is in store for you! :)

PS - of the ones that don't outright block on "no rDNS"... many of the
rest score just a hair below threshhold... making the tiniest things
push a message "over the top"
--
Rob McEwen
http://dnsbl.invaluement.com/
***@invaluement.com
+1 (478) 475-9032
Franck Martin
2013-03-17 06:12:38 UTC
Permalink
----- Original Message -----
Sent: Saturday, March 16, 2013 11:07:02 PM
Subject: Re: e-postage stamps, was Welcome to the new(ish) ASRG list
Post by Franck Martin
So once again who are these Many ISPs that outright block on no rDNS?
Tell you what... try it out for your own organization's email just for
one day... and see what an absolutely fabulous day is in store for you! :)
Why don't you ask the friend of your friend to give us this list and then cross check it yourself?

This list requires data not "I have heard somewhere..."
Rob McEwen
2013-03-17 06:31:23 UTC
Permalink
Post by Franck Martin
Why don't you ask the friend of your friend to give us this list and then cross check it yourself?
This list requires data not "I have heard somewhere..."
It isn't a "friend of a friend". This is my own personal friend
directly... who explained this situation to me over the phone as he was
watching the rejections in real time... where he was getting me to talk
him through fixing his problem and explaining the symptoms to me as it
was happening. Sorry that I didn't write down the actual domain names.

The situation with a Cox Communications person was Alex Marinkovic,
answering an e-mail I had sent him... with an e-mail he sent directly to
me. At the time of his answer, he was "Responsible for the design and
implementation of all anti-spam/anti-virus systems for the Cox High
Speed Internet service." to quote from his linked-in page. (Right now,
I'm actually looking at the e-mail he sent me, dated 8/9/2011 4:58 PM...
would you like for me to forward that to you off-list?)

We're getting buried in minutia. You've already admitted that Comcast
does this. I've established that Cox does, too. I'm certain that those
are not the only large ISPs that do this. BUT THAT IS BESIDES THE POINT...

...the point is that, as a result of enough recipients' mail systems
require an rDNS... that the industry, across-the-board, now has a
commonly accepted "industry standard" that mail sending IPs (a) should
have an rDNS, and (b) of the ones that don't, they often get blocked,
and it is then considered the sender's fault.

knit-pick minutia if you like... but neither yours or my opinion doesn't
change the fact that if an ESP or ISP today hired a CTO who ordered the
deletion of the rDNS entries for their sending IPs and fought vigorously
to keep it that way... that person wouldn't last in their job more than
a week.. probably not more than a day.
--
Rob McEwen
http://dnsbl.invaluement.com/
***@invaluement.com
+1 (478) 475-9032
Brendan Hide
2013-03-17 08:28:15 UTC
Permalink
I work for an ISP and we've had to deal with issues like this in the
past. We reject on bad rDNS and other ISPs in our region do the same.

At least when our dedicated-server customers have this problem, the
rejection messages are usually explicit enough that little to no
troubleshooting is required. :)

The point however:
Even if only 20% of ISPs reject mail, it would be unprofessional (stupid
perhaps? insert appropriate insults here) to allow a likely 20% of
outbound mail to go undelivered due to a silly misconfiguration.
Therefore, most ISPs already have their reverse records configured
correctly.
Post by Rob McEwen
Post by Franck Martin
Why don't you ask the friend of your friend to give us this list and then cross check it yourself?
This list requires data not "I have heard somewhere..."
It isn't a "friend of a friend". This is my own personal friend
directly... who explained this situation to me over the phone as he was
watching the rejections in real time... where he was getting me to talk
him through fixing his problem and explaining the symptoms to me as it
was happening. Sorry that I didn't write down the actual domain names.
The situation with a Cox Communications person was Alex Marinkovic,
answering an e-mail I had sent him... with an e-mail he sent directly to
me. At the time of his answer, he was "Responsible for the design and
implementation of all anti-spam/anti-virus systems for the Cox High
Speed Internet service." to quote from his linked-in page. (Right now,
I'm actually looking at the e-mail he sent me, dated 8/9/2011 4:58 PM...
would you like for me to forward that to you off-list?)
We're getting buried in minutia. You've already admitted that Comcast
does this. I've established that Cox does, too. I'm certain that those
are not the only large ISPs that do this. BUT THAT IS BESIDES THE POINT...
...the point is that, as a result of enough recipients' mail systems
require an rDNS... that the industry, across-the-board, now has a
commonly accepted "industry standard" that mail sending IPs (a) should
have an rDNS, and (b) of the ones that don't, they often get blocked,
and it is then considered the sender's fault.
knit-pick minutia if you like... but neither yours or my opinion doesn't
change the fact that if an ESP or ISP today hired a CTO who ordered the
deletion of the rDNS entries for their sending IPs and fought vigorously
to keep it that way... that person wouldn't last in their job more than
a week.. probably not more than a day.
--
__________
Brendan Hide
http://swiftspirit.co.za/
http://www.webafrica.co.za/?AFF1E97
Barry Shein
2013-03-17 17:52:35 UTC
Permalink
We block noRDNS at World and rarely have a complaint, I'd say less
than once a year. And when we do we usually refer the person to the
site w/o RDNS and it gets cleared up there.

About the biggest problem that comes up, rarely, is some big ISP like
a telco's rdns service goes down or something so a bunch of email gets
rejected for a few minutes or whatever. Some respond reasonably to a
temporary fail, some not so much.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Bill Cole
2013-03-19 04:53:46 UTC
Permalink
Post by Franck Martin
So once again who are these Many ISPs that outright block on no rDNS?
My employer isn't exactly an ISP, but we provide outsourced email for
SMB's and reject mail from IP's with no rDNS. No exceptions. Appeals
from senders or customers are very rare, and none has required careful
thought in my 4+ years there. When last I looked at the numbers, there
was no doubt that the garbage being rejected pre-DATA was enough to
justify the policy and the possible false positives were statistically
equivalent to zero. Of course there are degrees of "no rDNS" that get
treated differently, but that should be obvious. Possibly transient DNS
failures are distinguishable from NXDOMAIN replies, and perfectly match
the design justification for SMTP 4xx replies.

Beyond ISPs and ISP-like entities, the long tail of corporate mail
servers is rich with systems rejecting mail offered by IP's that yield
NXDOMAIN to a PTR query, and they often have no useful route of appeal
for deliverability problems. Config rejecting mail from nameless IP's
(i.e. Postfix's reject_unknown_reverse_client_hostname, Sendmail's
require_rdns, etc.) has become part of the canon of anti-spam advice for
good reasons (it blocks a respectable pile of spam, it's cheap, and it
has very low FPs) and many mail systems run on autopilot after the
deployment of such advice until they noticeably break. A sender using
nameless IP's may well get not be blocked or dropped by half of the big
freemailers and 3/4 of the largest consumer access providers, but below
that scale run into a brick wall.
Barry Shein
2013-03-17 17:47:52 UTC
Permalink
I think spam is more of an issue than ever.

Although we've solved some of the pragmatic problems with better
filters so it takes up less human time trust is still a huge issue.

I get email from what seems to be one of my banks or other vendors and
unless I'm expecting it and it's highly unlikely someone would manage
to fraud the context of the mail I generally delete it w/o reading it
because I can't be bothered figuring out if it's phony or not.

The very idea that vendors with legitimate business relationships
should be allowed to get thru to you is dying under the weight of spam
and phishing etc.

Yet it's often the vendors' only "push" technology.

For example to tell you there have been multiple failed attempts to
log into your bank account -- not sure what your reaction should be,
THE SHIELDS ARE HOLDIN' CAP'N!, but a bank generally considers that
sort of thing noteworthy.

The vendors should be more concerned.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Chris
2013-03-17 04:59:32 UTC
Permalink
haha so am I a member of the fussp brigade?

Sadly anything IP based is never going to work. I firmly believe the fix
will have to be transport and law agnostic.
Changing the transport system is just too hard and with all hard things they
become very brittle.


Regards
Chris
Post by Rob McEwen
essentially its a reputation system. To send an email you need to
attach a stamp. if that stamp is successfully received it gives the
sender a new stamp so he can send another email.
(1) get strongly behind *requiring* FCrDNS for IPs sending
NON-authenticated mail (i.e. "last external" MTA)
(2) and ESPECIALLY make that a *requirement* for NON-authenticated IPv6
e-mail
(3) Then solve the HUGE HUGE HUGE HUGE and CONSTANTLY UNDER-RATED
problem of overabundance of mail-sending IPv6 addresses (a spammer's
dream as they never run out of new fresh IPs, and can send each e-mail
from a DIFFERENT IP address!) ...we could solve that problem... by
simply making it an industry standard to block ALL NON-authenticated
IPv6 mail that doesn't originate from one single designated (as in
"standardized") "root" IP per /48 block. (or, make it even MORE
scarce... like one designated IP per /36 block? other?)... this would be
the equivalent of blocking all NON-authenticated IPv4 mail that isn't
sent from an IP ending in ".0"... sort of like that, except far more
strict. IPv6 mail-sending is still youthful enough to where it isn't too
late to get behind this idea... but time is running out!
...those won't be a magic cure... would go a long way towards helping to
solve the spam problem... and these suggestions ARE feasible because
they (A) use existing technologies, and (B) in the case of FCrDN,
involve already existing "best practices".
NOTE: I specified "NON-authenticated mail" because I'm making the point
that ANY ip address can still password-authenticate to an MTA for that
MTA to then send the message on their behalf. These ideas don't impact
THAT part at all... so your toaster or watch or car or whatever can
STILL send an e-mail to you via smtp-authentication via ANY IP (as long
as it uses a valid SMTP mail server and doesn't try to send directly,
like a botnet would do.)
Chris Lewis
2013-03-17 18:30:50 UTC
Permalink
Post by Chris
Sadly anything IP based is never going to work.
Really? Never?

That's going to come as a big surprise to a huge hunk of the industry.
The one that already uses IP-based mechanisms as a large part of their
filtering and find it works very well thank you very much.
Roger B.A. Klorese
2013-03-17 04:48:07 UTC
Permalink
Post by Rob McEwen
(1) get strongly behind *requiring* FCrDNS for IPs sending
NON-authenticated mail (i.e. "last external" MTA)
I fail to see any way in which this adds legitimacy, as long as the rDNS
is legitimate. And in the case of my non-profit discussion and
announcement server, from which we deliver on behalf of 80+
organizations, the cost of 80+ IP addresses, and the need to support 80+
virtual interfaces (and throttle simultaneous sending behavior on them)
would probably put us under.
Rob McEwen
2013-03-17 05:36:26 UTC
Permalink
Post by Roger B.A. Klorese
Post by Rob McEwen
(1) get strongly behind *requiring* FCrDNS for IPs sending
NON-authenticated mail (i.e. "last external" MTA)
I fail to see any way in which this adds legitimacy, as long as the
rDNS is legitimate. And in the case of my non-profit discussion and
announcement server, from which we deliver on behalf of 80+
organizations, the cost of 80+ IP addresses, and the need to support
80+ virtual interfaces (and throttle simultaneous sending behavior on
them) would probably put us under.
Chris,

I think you're reading into this more requirements than what I
suggested. First, FCrDNS ensures that the rDNS is transparent or honest
(keeping in mind that an "honest" spammer could still send spam through
such IPs!). Also, who said anything about any kind of requirement that
the FCrDNS must match the domain in the "from" address? instead, if is
more important that it properly represents YOU as the valid sending
agent for these 80+ organizations. Then, all you need is one IP, and one
host name. Ultimately, YOU are singularly responsible for what comes
from YOUR ip address! Therefore, it makes sense for the rDNS to
represent your domain name, not your client's domains.

PS - I should have added to my original short of list of suggestions...
one more thing... that there be an industry standard for what
constitutes the formatting of an ISP's dynamically assigned IP. There
already is sort of a general common pattern for this for IPv4 where lots
of hypens and dots to the left of the domain name in the rDNS indicate a
dynamic IP... this is such a common pattern in IPv4 that some anti-spam
plugins actually add points to the spam score based on this. Yet, still,
many break this rule in IPv4. But perhaps it isn't too late for IPv6 to
come up with some kind of standard rDNS formatting for dynamic-assigned
IPs vs mail-sending IPs. (I would guess that this is already taking
shape just from following IPv4's lead, even if not officially so.)
Certainly, if... 15 years ago... all of us had a discussion about IPv4
rDNS formatting... and had there been a movement towards blocking ALL
IPs that had lost of hypens and dashes to the left of the domain name in
the rDNS... then blocking botnet spam would have been MUCH easier all
these years... and MUCH fewer mail admins would have allowed their rDNS
to be so poorly formatted. So... why not do that with IPv6 EARLY IN THE
PROCESSES? (ADD THIS TO MY EARLIER LIST OF SUGGESTIONS)
--
Rob McEwen
http://dnsbl.invaluement.com/
***@invaluement.com
+1 (478) 475-9032
Roger B.A. Klorese
2013-03-17 05:50:35 UTC
Permalink
Post by Rob McEwen
Chris,
Um, no.
Post by Rob McEwen
I think you're reading into this more requirements than what I
suggested. First, FCrDNS ensures that the rDNS is transparent or honest
(keeping in mind that an "honest" spammer could still send spam through
such IPs!). Also, who said anything about any kind of requirement that
the FCrDNS must match the domain in the "from" address? instead, if is
more important that it properly represents YOU as the valid sending
agent for these 80+ organizations. Then, all you need is one IP, and one
host name. Ultimately, YOU are singularly responsible for what comes
from YOUR ip address! Therefore, it makes sense for the rDNS to
represent your domain name, not your client's domains.
We've received (spectacularly ill-informed) bounces to having the HELO
name and/or the reverse not match the From: domain, and in a few case,
I'm pretty sure, even for not having From_ and From: match...
Rob McEwen
2013-03-17 06:10:43 UTC
Permalink
Post by Roger B.A. Klorese
and/or the reverse not match the From: domain
Then those systems are blocking massive amounts of legit mail because
massive amounts of legit mail is sent from IPs that have a valid rDNS,
yet where the domain in the rDNS doesn't match the "from" address. This
is really silly... many "shared hosting" environments are set up where
the sender (typically a small business hosting a web site there) is
using their hoster's mail server for sending mail.
--
Rob McEwen
http://dnsbl.invaluement.com/
***@invaluement.com
+1 (478) 475-9032
Roger B.A. Klorese
2013-03-17 06:18:38 UTC
Permalink
Post by Rob McEwen
Post by Roger B.A. Klorese
and/or the reverse not match the From: domain
Then those systems are blocking massive amounts of legit mail because
massive amounts of legit mail is sent from IPs that have a valid rDNS,
yet where the domain in the rDNS doesn't match the "from" address. This
is really silly... many "shared hosting" environments are set up where
the sender (typically a small business hosting a web site there) is
using their hoster's mail server for sending mail.
Yes, they do. I've actually in the business, and had a sysadmin tell me
that he got so much flak for letting spam through that he has had to
apply a zero-tolerance approach that causes a lot of legit email not to
get through. Jeez.
Brendan Hide
2013-03-17 08:32:13 UTC
Permalink
Post by Roger B.A. Klorese
Post by Rob McEwen
Post by Roger B.A. Klorese
and/or the reverse not match the From: domain
Then those systems are blocking massive amounts of legit mail because
massive amounts of legit mail is sent from IPs that have a valid rDNS,
yet where the domain in the rDNS doesn't match the "from" address. This
is really silly... many "shared hosting" environments are set up where
the sender (typically a small business hosting a web site there) is
using their hoster's mail server for sending mail.
Yes, they do. I've actually in the business, and had a sysadmin tell
me that he got so much flak for letting spam through that he has had
to apply a zero-tolerance approach that causes a lot of legit email
not to get through. Jeez.
That's incredibly shortsighted of the mentioned sysadmin or his boss.
The only thing worse than getting spam is not getting legit mail. :-/
--
__________
Brendan Hide
http://swiftspirit.co.za/
http://www.webafrica.co.za/?AFF1E97
Barry Shein
2013-03-17 17:54:09 UTC
Permalink
Post by Rob McEwen
Post by Roger B.A. Klorese
and/or the reverse not match the From: domain
Then those systems are blocking massive amounts of legit mail because
massive amounts of legit mail is sent from IPs that have a valid rDNS,
yet where the domain in the rDNS doesn't match the "from" address. This
is really silly... many "shared hosting" environments are set up where
the sender (typically a small business hosting a web site there) is
using their hoster's mail server for sending mail.
Wasn't this problem solved by SpamAssassin's scoring approach, give it
a point or two for this and use a threshold, if there are no other red
flags let it through.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Rob McEwen
2013-03-17 18:18:48 UTC
Permalink
Post by Barry Shein
Post by Rob McEwen
Post by Roger B.A. Klorese
and/or the reverse not match the From: domain
Then those systems are blocking massive amounts of legit mail because
massive amounts of legit mail is sent from IPs that have a valid rDNS,
yet where the domain in the rDNS doesn't match the "from" address. This
is really silly... many "shared hosting" environments are set up where
the sender (typically a small business hosting a web site there) is
using their hoster's mail server for sending mail.
Wasn't this problem solved by SpamAssassin's scoring approach, give it
a point or two for this and use a threshold, if there are no other red
flags let it through.
A typical default SA setup scores about 2 (or more?) points against "no
rDNS". The fact that SA scores against "no rDNS" is common knowledge
within the SA community.

But I don't think that SA scores any points against a message for the
rDNS ending in a domain name that is different from the domain in the
"from" address. If I'm wrong, then THAT score is likely something like
"0.1"... or something negligible like that. I've followed the SA list
for years and I've never heard of any mention of such a test in SA.
--
Rob McEwen
http://dnsbl.invaluement.com/
***@invaluement.com
+1 (478) 475-9032
John Levine
2013-03-17 18:40:54 UTC
Permalink
Post by Rob McEwen
But I don't think that SA scores any points against a message for the
rDNS ending in a domain name that is different from the domain in the
"from" address.
I hope not. People who think that's a good idea might look at the
headers of this message.
--
Regards,
John Levine, ***@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Rob McEwen
2013-03-17 19:12:44 UTC
Permalink
Post by John Levine
Post by Rob McEwen
But I don't think that SA scores any points against a message for the
Post by Rob McEwen
rDNS ending in a domain name that is different from the domain in the
"from" address.
I hope not. People who think that's a good idea might look at the
headers of this message.
To be extra clear, I was not advocating that it do that. I was just
clarifying something based on something someone else had said. I had
also mentioned in another earlier post that there are many valid
situations where the "from" in the e-mail doesn't match the domain in
the rDNS.
--
Rob McEwen
http://dnsbl.invaluement.com/
***@invaluement.com
+1 (478) 475-9032
Barry Shein
2013-03-17 18:54:51 UTC
Permalink
I think you missed my point, my fault.

I just meant instead of outright blocking a mismatch one COULD use a
scheme analagous to SA where they just add some points to total
spamminess score if it doesn't match.

I didn't mean that is current practice by SA necessarily.
Post by Rob McEwen
Post by Barry Shein
Post by Rob McEwen
Post by Roger B.A. Klorese
and/or the reverse not match the From: domain
Then those systems are blocking massive amounts of legit mail because
massive amounts of legit mail is sent from IPs that have a valid rDNS,
yet where the domain in the rDNS doesn't match the "from" address. This
is really silly... many "shared hosting" environments are set up where
the sender (typically a small business hosting a web site there) is
using their hoster's mail server for sending mail.
Wasn't this problem solved by SpamAssassin's scoring approach, give it
a point or two for this and use a threshold, if there are no other red
flags let it through.
A typical default SA setup scores about 2 (or more?) points against "no
rDNS". The fact that SA scores against "no rDNS" is common knowledge
within the SA community.
But I don't think that SA scores any points against a message for the
rDNS ending in a domain name that is different from the domain in the
"from" address. If I'm wrong, then THAT score is likely something like
"0.1"... or something negligible like that. I've followed the SA list
for years and I've never heard of any mention of such a test in SA.
--
Rob McEwen
http://dnsbl.invaluement.com/
+1 (478) 475-9032
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
James Cloos
2013-03-17 22:00:05 UTC
Permalink
BS> I just meant instead of outright blocking a mismatch one COULD use
BS> a scheme analagous to SA where they just add some points to total
BS> spamminess score if it doesn't match.

The various policy daemons tend to do that.

policyd-weight, as an example, has about 20 scoring tests looking at
the remote MTA's PTR, that PTS's A/AAAA, the envelope from and how
they relate to each other. Plus RBL checks.

-JimC
--
James Cloos <***@jhcloos.com> OpenPGP: 1024D/ED7DAEA6
Andrew Sullivan
2013-03-17 21:14:43 UTC
Permalink
Post by Rob McEwen
A typical default SA setup scores about 2 (or more?) points against "no
rDNS". The fact that SA scores against "no rDNS" is common knowledge
within the SA community.
But I don't think that SA scores any points against a message for the
rDNS ending in a domain name that is different from the domain in the
"from" address. If I'm wrong, then THAT score is likely something like
"0.1"... or something negligible like that. I've followed the SA list
for years and I've never heard of any mention of such a test in SA.
Just in case it helps, a number of years ago in a dnsop draft that
died on the order paper I made up terms for these.

The first is "existing reverse mapping", because you check to see
whether the reverse-map query gets an answer.

The second is "matching reverse mapping", because you check to see
whether the forward listing and reverse listing matches. It seems
that not everyone knows this, but it's possible to have multiple PTRs,
and some libraries choke on them, so the matching-test is, IMO, a bad
idea. At least at the time I worked on that draft, however, some
people thought it was important.

Best,

A
--
Andrew Sullivan
***@anvilwalrusden.com
Bill Cole
2013-03-19 05:06:30 UTC
Permalink
Post by Rob McEwen
But I don't think that SA scores any points against a message for the
rDNS ending in a domain name that is different from the domain in the
"from" address. If I'm wrong, then THAT score is likely something like
"0.1"... or something negligible like that. I've followed the SA list
for years and I've never heard of any mention of such a test in SA.
I've been doing site-specific SA tuning for ~7 years: analyzing
frequency, accuracy, and relevance of specific SA rules in reference to
live mail streams. I've never seen such a rule, so I'm fairly sure it
has not existed in that time.
Mikael Abrahamsson
2013-03-18 09:16:36 UTC
Permalink
Post by Rob McEwen
(3) Then solve the HUGE HUGE HUGE HUGE and CONSTANTLY UNDER-RATED
problem of overabundance of mail-sending IPv6 addresses (a spammer's
dream as they never run out of new fresh IPs, and can send each e-mail
from a DIFFERENT IP address!) ...we could solve that problem... by
What needs to happen (would solve multiple problems) is that ISPs need to
announce the "customer allocation size" in something that is scalable, and
then tools need to adapt to this and not treat IPv6 space as 2^128
addresses but instead treat it as "customer blocks" of different sizes,
and do anti-spam handling on these customer block boundaries instead of
per-IP.
--
Mikael Abrahamsson email: ***@swm.pp.se
Paul Smith
2013-03-18 10:04:03 UTC
Permalink
Post by Mikael Abrahamsson
Post by Rob McEwen
(3) Then solve the HUGE HUGE HUGE HUGE and CONSTANTLY UNDER-RATED
problem of overabundance of mail-sending IPv6 addresses (a spammer's
dream as they never run out of new fresh IPs, and can send each e-mail
from a DIFFERENT IP address!) ...we could solve that problem... by
What needs to happen (would solve multiple problems) is that ISPs need
to announce the "customer allocation size" in something that is
scalable, and then tools need to adapt to this and not treat IPv6
space as 2^128 addresses but instead treat it as "customer blocks" of
different sizes, and do anti-spam handling on these customer block
boundaries instead of per-IP.
While that will help, it will mean there are only something like 2^64
'blocks'. This is still a big number...


Surely the answer is to whitelist good servers rather than blacklist bad
servers

There are a lot fewer than 2^128 good mail servers in the world.

So, something similar to dnswl.org, possibly


-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
Mikael Abrahamsson
2013-03-18 10:13:22 UTC
Permalink
Post by Paul Smith
While that will help, it will mean there are only something like 2^64
'blocks'. This is still a big number...
Well, depending on customer type, it's 2^64 or 2^56 or 2^48.
Post by Paul Smith
Surely the answer is to whitelist good servers rather than blacklist bad
servers
How do I end up on the whitelist?
--
Mikael Abrahamsson email: ***@swm.pp.se
Paul Smith
2013-03-18 10:23:43 UTC
Permalink
Post by Mikael Abrahamsson
Post by Paul Smith
Surely the answer is to whitelist good servers rather than blacklist
bad servers
How do I end up on the whitelist?
You ask to be on it.

The way I'd do it would be to charge people, say, $10 per year per MTA
IP address to be on the whitelist (to fund the WL DNS servers)

This won't affect legitimate users much as it would only affect those
with the "final" MTA, so mostly ISPs, and businesses with their own MTAs.

However, botnet owners are unlikely to pay $10 per bot IP address, and
anyone using an entire /64 IPv6 range for spamming is going to have a
big bill.

If an IP address spams a lot, then you remove it, and the owner has to
reapply to be on the whitelist (possibly paying more if this happens
frequently)




-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
Matthias Leisi
2013-03-18 12:59:45 UTC
Permalink
[Disclosure: I'm involved with dnswl.org]
Post by Paul Smith
Surely the answer is to whitelist good servers rather than blacklist bad
Post by Mikael Abrahamsson
Post by Chris
servers
How do I end up on the whitelist?
You ask to be on it.
The way I'd do it would be to charge people, say, $10 per year per MTA IP
address to be on the whitelist (to fund the WL DNS servers)
Paying to be on a whitelist creates detrimental incentives for the list
operator by creating conflicts of interest (list quality vs commercial
incentives).

Paying to use for the whitelist data ("rsync download" etc) is largely free
of such conflicts of interest and is thus preferrable (although it vastly
limits the commercial appeal of any such system).
Post by Paul Smith
This won't affect legitimate users much as it would only affect those with
the "final" MTA, so mostly ISPs, and businesses with their own MTAs.
To avoid central control, the system needs to be open with multiple
organisations providing whitelisting services. Would a sender need to pay
for each (widely used) such service?

If an IP address spams a lot, then you remove it, and the owner has to
Post by Paul Smith
reapply to be on the whitelist (possibly paying more if this happens
frequently)
How do you identify the "same owner"? This again creates an introduction
problem.

Not unexepectedly, I believe that whitelisting can play a greater role in
the box of antispam tools in an IPv6 world than it plays in IPv4. I'm also
realistic about its limits.

-- Matthias
John Levine
2013-03-18 16:19:17 UTC
Permalink
Post by Mikael Abrahamsson
Post by Paul Smith
While that will help, it will mean there are only something like 2^64
'blocks'. This is still a big number...
Well, depending on customer type, it's 2^64 or 2^56 or 2^48.
There are hosting companies handing out individual IPv6 addresses to
customers. You don't have to tell me what a bad idea this is, but they
claim they're stuck with it due to some characteristic of the networking
hardware they bought. (A counter-argument, of course, is that your poor
business decisions are not my problem, and if you don't want your whole
datacenter blocked every time a customer leaks spam, you better figure out
how to fix that and give a /64 to each customer.)
Post by Mikael Abrahamsson
How do I end up on the whitelist?
That's the introduction problem. It's older than the spam problem,
and equally unsolved.
--
Regards,
John Levine, ***@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Brendan Hide
2013-03-18 17:14:39 UTC
Permalink
Post by John Levine
There are hosting companies handing out individual IPv6 addresses to
customers. You don't have to tell me what a bad idea this is, but they
claim they're stuck with it due to some characteristic of the
networking hardware they bought. (A counter-argument, of course, is
that your poor business decisions are not my problem, and if you don't
want your whole datacenter blocked every time a customer leaks spam,
you better figure out how to fix that and give a /64 to each customer.)
The general solution for "dialup" (adsl/etc) accounts is to disallow
traffic going outside the network to port 25 and to provide a
centralised mail gateway service.

I see no reason this can't be done in a hosting environment as well.
--
__________
Brendan Hide
http://swiftspirit.co.za/
http://www.webafrica.co.za/?AFF1E97
John R. Levine
2013-03-18 17:19:00 UTC
Permalink
The general solution for "dialup" (adsl/etc) accounts is to disallow traffic
going outside the network to port 25 and to provide a centralised mail
gateway service.
I see no reason this can't be done in a hosting environment as well.
There are certainly hosting companies that do that. I get buckets of spam
from 1&1/perfora, all via a few smarthosts. It's extremely annoying,
because there is enough real mail through those hosts that I can't block
them completely.

Regards,
John Levine, ***@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Neil Schwartzman
2013-03-18 17:26:26 UTC
Permalink
the point, in some cases, at hosting companies is to be able to operate your own mail server.
There are hosting companies handing out individual IPv6 addresses to customers. You don't have to tell me what a bad idea this is, but they claim they're stuck with it due to some characteristic of the networking hardware they bought. (A counter-argument, of course, is that your poor business decisions are not my problem, and if you don't want your whole datacenter blocked every time a customer leaks spam, you better figure out how to fix that and give a /64 to each customer.)
The general solution for "dialup" (adsl/etc) accounts is to disallow traffic going outside the network to port 25 and to provide a centralised mail gateway service.
I see no reason this can't be done in a hosting environment as well.
--
__________
Brendan Hide
http://swiftspirit.co.za/
http://www.webafrica.co.za/?AFF1E97
Matthias Leisi
2013-03-18 12:50:30 UTC
Permalink
Post by Mikael Abrahamsson
What needs to happen (would solve multiple problems) is that ISPs need to
announce the "customer allocation size" in something that is scalable, and
then tools need to adapt to this and not treat IPv6 space as 2^128
addresses but instead treat it as "customer blocks" of different sizes, and
do anti-spam handling on these customer block boundaries instead of per-IP.
Agreed in so far as a scalably published allocation size makes IP-based
reputation management easier. I would not fall back to /128 addresses by
default, but possibly to some reasonable allocation, eg /64?

I played around with some local experiments of such a scheme. While the
technical results are not worth sharing (just a bunch of ugly Perl
scripts), it became obvious that this will not match the simplicity/low
complexity of IPv4 DNSxLs defaulting to /32. The application logic will
become more complex, while the DNS logic[*] does not need to change.

-- Matthias

[*] Assuming DNS as a transport protocol; there may be better alternatives
if we need to touch "everything", but I'm not aware of any.
Franck Martin
2013-03-17 05:15:44 UTC
Permalink
I was looking at why this list did not have anymore the [ASRG] tag in the subject line, then I realized it does not have a footer either.

It means this list keeps the author DKIM signing.

Awesome!

----- Original Message -----
From: "John R. Levine" <***@iecc.com>
To: "Anti Spam Research Group" <***@lists.gurus.org>
Sent: Saturday, March 16, 2013 3:02:45 PM
Subject: Welcome to the new(ish) ASRG list

You should recently have gotten a welcome to the new ASRG list.

A few administrative details:
John R. Levine
2013-03-17 05:28:21 UTC
Permalink
Post by Franck Martin
I was looking at why this list did not have anymore the [ASRG] tag in the subject line, then I realized it does not have a footer either.
It means this list keeps the author DKIM signing.
It does all sorts of other stuff to message bodies and deletes incoming
DKIM signatures, so, um, no.

The list software does add its own DKIM signature, which is what matters.

R's,
JOhn
Franck Martin
2013-03-17 05:37:53 UTC
Permalink
I saw the iecc.com DKIM signature with a pass together with the lists.gurus.org DKIM

Printed on recycled paper!
Post by Franck Martin
I was looking at why this list did not have anymore the [ASRG] tag in the subject line, then I realized it does not have a footer either.
It means this list keeps the author DKIM signing.
It does all sorts of other stuff to message bodies and deletes incoming DKIM signatures, so, um, no.
The list software does add its own DKIM signature, which is what matters.
R's,
JOhn
Brendan Hide
2013-03-17 21:24:30 UTC
Permalink
The premise of charging to send mail is still counter to reality. People are used to the idea of email being free except for the obvious part of Internet access.

Botnets will send email for free no matter who you send the bill to.
End users will fight tooth and nail to keep email 'free'.
Post by John Levine
Post by Barry Shein
Post by John R. Levine
Um, because we talk to them, and have a pretty good idea how much a
micropayment system that has to handle billions of transactions a day
would cost?
So 5 or so years ago you would've valued their opinion on whether they
would ever advertise on a social network?
Huh?
Running a transaction system that has to handle billions of
transactions a day is a notably unsolved problem, and not for lack of
trying.  The synchronization required to deter double spending of
coins or stamps or whatever you want to call them is inherently very
difficult.
Which basically pits the best as the enemy of the good.

But it's a valid point.

Which is why I suggested a verification system analogous to SPF for
example.
Post by John Levine
On the other hand, if we're allowed to wave our hands and assert that
it exists, please assert me a rainbow pony at the same time.
Asking a question and then answering it doesn't seem constructive.
Post by John Levine
Post by Barry Shein
As to billions of transactions what about the DNS system? Can't
possibly work?
Please don't tell me that it's news to you that the DNS is read-only.
Verification of a stamp wouldn't have to be much different from a DNS
query. "Is the following n-tuple (perhaps source plus stamp) valid?",
or likely valid would be far better than what we have now.

A server would know, for example, that every stamp coming out of an
AT&T IP block has to have certain cryptographic characteristics, and
the same coming out of some other block would be invalid. Etc.

Hey, that's engineering and it doesn't have to be mathematically
perfect to achieve its goal.

But most importantly it could potentially create an economy to go
after counterfeiters, or block them more effectively.

One thing I've said for many years is that what anti-spam activity
lacks is much any economy, beyond appliances and similar which is good
but not that universal.

As an analogy, you COULD set up your own root server and sell your own
domains, do alternative DNS. But beyond some point ICANN would come
down on you like white on rice, as they have in the past.

Why? Because unlike anti-spam ICANN (et al) has a billion dollar
industry and maybe $150M/year in revenue directly to them to protect.

That should be the real goal IMHO, how do we create or encourage an
effective economics to combat spam?
Post by John Levine
Post by Barry Shein
For example given a cryptographic stamp and an ISP's motivation the
ISP could verify each outgoing stamp used by a customer before letting
it out since in theory they're the ones who issued those stamps, much
like they might issue IP addresses and block any originating from w/in
their network which isn't part of their re-delegation blocks.
You're describing rate limiting outgoing mail from a network's own
hosts.  It's not a bad idea, lots of ISPs do it, and it doesn't
require stamps.
No because the RECIPIENT also wants to see that stamp once it passes
the ISP.

The ISP checking would only be optional, smaller concerns such as
companies wouldn't be obliged to check anything, only the recipient
really has an interest in checking beyond scaling considerations some
big ISPs and similar might have.

I might for example choose to accept some valid stamps and not others,
again depending on the n-tuple.

But the point is mail would have to have a valid stamp to get thru
sites which choose to participate (one wouldn't have to) which beyond
some pre-allocated limit (TBD) would have to be bought.

Since spammers have to send out literally billions of spam emails per
day to be economically effective it potentially turns that equation in
favor of the honest user without, potentially, over-burdening even a
site which legitimately sends millions of email msgs.

I'd guess wildly and for discussion's sake that a price like
$100/million would be acceptable as a cost of doing business to, e.g.,
Amazon, particularly if they saw some value to them, but unworkable
for spammers.

I think our estimate of top spammers is on the order of a billion msgs
sent per day per each? That would be $1,000/day, I don't think they
have that kind of economics.
--
        -Barry Shein

The World              | ***@TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
Dave Crocker
2013-03-19 15:41:11 UTC
Permalink
Post by John R. Levine
You should recently have gotten a welcome to the new ASRG list.
When a continuing activity is re-homed, simply moving the list
membership subscriptions obviously makes sense.

When a derivative activity is started, the safer etiquette is to use the
original list for sending 'invitations' rather than automatically
subscribing folk.

Anyhow, I do wish this list would use the "[listname or topic]" prefix
convention for the Subject line. Presumably that wouold be "[asrg]".

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Paul Smith
2013-03-19 15:54:34 UTC
Permalink
Post by Dave Crocker
Anyhow, I do wish this list would use the "[listname or topic]" prefix
convention for the Subject line. Presumably that wouold be "[asrg]".
Yes please!



-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
John Levine
2013-03-19 16:05:41 UTC
Permalink
Post by Dave Crocker
Anyhow, I do wish this list would use the "[listname or topic]" prefix
convention for the Subject line. Presumably that wouold be "[asrg]".
It's a per-user option, since it provokes religious battles second
only to the reply-to header. If your MUA can't do adequate sorting
using the List-ID: header, write to ***@lists.gurus.org and send
it:

set asrg prefix

When your MUA later gets with the RFC 2919 program, send it:

set asrg noprefix

R's,
John

PS: You can also send

set asrg replyto

or

set asrg noreplyto
Dave Crocker
2013-03-19 16:11:46 UTC
Permalink
Post by John Levine
Post by Dave Crocker
Anyhow, I do wish this list would use the "[listname or topic]" prefix
convention for the Subject line. Presumably that wouold be "[asrg]".
It's a per-user option, since it provokes religious battles second
only to the reply-to header. If your MUA can't do adequate sorting
You are assuming my reason for making the request. There's a cliche
about assumptions.

In any event, like most of the rest of you, I'm subscribed to a very
large number of mailing lists. The vast majority -- possibly at the
level of rough consensus... -- do Subject-line labeling.

There's also the question of continuing existing practice from the
original list.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Dave Crocker
2013-03-19 16:17:29 UTC
Permalink
It didn't occur to me that you were providing email-only guidance
because the site apparently doesn't have an interactive interface via
the web. This presumes that subscribers are expert in majordomo
esoterica, such as its command set.

And no List-Archive pointer is provided in the header.

Was the purpose in choosing this home for the new list to be as a
continuing reminder of the serious usability barriers for anti-abuse
schemes that burden end-users with having to know special details and
take special actions?

d/
Post by John Levine
Post by Dave Crocker
Anyhow, I do wish this list would use the "[listname or topic]" prefix
convention for the Subject line. Presumably that wouold be "[asrg]".
It's a per-user option, since it provokes religious battles second
only to the reply-to header. If your MUA can't do adequate sorting
set asrg prefix
set asrg noprefix
R's,
John
PS: You can also send
set asrg replyto
or
set asrg noreplyto
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
John Levine
2013-03-19 16:51:08 UTC
Permalink
Post by Dave Crocker
It didn't occur to me that you were providing email-only guidance
because the site apparently doesn't have an interactive interface via
the web.
You could ask.

http://lists.services.net/cgi-bin/mj_wwwusr/domain=lists.gurus.org

It's very powerful, but also complicated and confusing, one of the
reasons that mj2 never got mailman's mindshare.
Dave Crocker
2013-03-19 17:04:10 UTC
Permalink
Post by John Levine
Post by Dave Crocker
It didn't occur to me that you were providing email-only guidance
because the site apparently doesn't have an interactive interface via
the web.
You could ask.
http://lists.services.net/cgi-bin/mj_wwwusr/domain=lists.gurus.org
1. That warrants another WTF. Ask what of whom? Why should such a
step be necessary? How are we supposed to have known? How is this level
of complexity reasonable in this day?

2. Bitdefender is blocking access to that URL, saying it's unsafe. I
don't much care what the explanations are or whether Bitdefender is
right or wrong. It's a mainstream product.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
John Levine
2013-03-19 18:06:18 UTC
Permalink
Post by Dave Crocker
2. Bitdefender is blocking access to that URL, saying it's unsafe. I
don't much care what the explanations are or whether Bitdefender is
right or wrong. It's a mainstream product.
It's a perl script running on my own server that hasn't changed in
years. Draw your own conclusions.

http://lists.services.net/cgi-bin/mj_wwwusr/domain=lists.gurus.org/asrg
Dave Crocker
2013-03-20 15:10:46 UTC
Permalink
Post by John Levine
Post by Dave Crocker
2. Bitdefender is blocking access to that URL, saying it's unsafe. I
don't much care what the explanations are or whether Bitdefender is
right or wrong. It's a mainstream product.
It's a perl script running on my own server that hasn't changed in
years. Draw your own conclusions.
John,

That's not the point.

The operational framework for this new list was pretty common 20 years
ago but became archaic at least 15 years ago. Today, it smacks more of
macho geek elitism than facilitating productive use.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
-
This is the asrg mailing list. To change your subscription settings, see
http://lists.services.net/cgi-bin/mj_wwwusr/domain=lists.gurus.org
Jose-Marcio Martins
2013-03-19 19:46:02 UTC
Permalink
Post by Dave Crocker
2. Bitdefender is blocking access to that URL, saying it's unsafe. I
don't much care what the explanations are or whether Bitdefender is
right or wrong. It's a mainstream product.
I care if Bitdefender is right or wrong.

As a member of a research group or, in other words, I'm used to work in
a research environnment, or having a "research reasoning", at which
"it's a mainstream product" isn't a good enough argument. Usually I'd
try to understand why Bitdefender is blocking access to that URL.



--
Ian Eiloart
2013-03-20 11:43:28 UTC
Permalink
Post by John Levine
Post by Dave Crocker
It didn't occur to me that you were providing email-only guidance
because the site apparently doesn't have an interactive interface via
the web.
You could ask.
http://lists.services.net/cgi-bin/mj_wwwusr/domain=lists.gurus.org
1. That warrants another WTF. Ask what of whom? Why should such a step be necessary? How are we supposed to have known? How is this level of complexity reasonable in this day?
From the List-help header. But the web interface isn't mentioned there. And even if it was, most people don't use mail clients that expose that header by default. There's an extension for Thunderbird, but it has less than 1000 users. And even when they can see such headers, links aren't usually made clickable. That's why most mailing lists add a footer, and hence why they usually break DKIM and S-MIME signatures.
2. Bitdefender is blocking access to that URL, saying it's unsafe. I don't much care what the explanations are or whether Bitdefender is right or wrong. It's a mainstream product.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
Ian Eiloart
2013-03-20 12:10:08 UTC
Permalink
Post by John Levine
Post by Dave Crocker
It didn't occur to me that you were providing email-only guidance
because the site apparently doesn't have an interactive interface via
the web.
You could ask.
http://lists.services.net/cgi-bin/mj_wwwusr/domain=lists.gurus.org
1. That warrants another WTF. Ask what of whom? Why should such a step be necessary? How are we supposed to have known? How is this level of complexity reasonable in this day?
From the List-help header. But the web interface isn't mentioned there. And even if it was, most people don't use mail clients that expose that header by default. There's an extension for Thunderbird, but it has less than 1000 users. And even when they can see such headers, links aren't usually made clickable. That's why most mailing lists add a footer, and hence why they usually break DKIM and S-MIME signatures.
Post by John Levine
Post by Dave Crocker
--
Stopping at signature separator. No more commands will be processed.
What I have to do is write "help" in the message body. So, the List-help header should read

<mailto:asrg-***@lists.gurus.org?subject=help&body=help,http://lists.services.net/cgi-bin/mj_wwwusr/domain=lists.gurus.org?extra=asrg&func=lists-full-long> (List Instructions)

Because you can actually get directly to the ASRG list with this address:
http://lists.services.net/cgi-bin/mj_wwwusr/domain=lists.gurus.org?extra=asrg&func=lists-full-long
--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
Loading...